Enhance the security and operational capabilities of your Azure Kubernetes Service with Advanced Container Networking Services, now generally available


With the increased adoption of cloud-native technologies, containers and Kubernetes have become the backbone of modern application deployments. Microservices-based container workloads are easier to scale, more portable, and resource-efficient. With Kubernetes managing these workloads, organizations can deploy advanced AI and machine learning applications across diverse compute resources, significantly improving operational productivity at scale. With this evolution of application architecture comes a strong need for built-in granular security controls and deep observability; however, the ephemeral nature of containers makes this challenging. That’s where Azure Advanced Container Networking Services comes in.

We’re excited to announce the general availability of Advanced Container Networking Services for Azure Kubernetes Service (AKS), a cloud-native, purpose-built solution to enhance security and observability for Kubernetes and containerized environments. Advanced Container Networking Services focuses on delivering a seamless and integrated experience that allows you to maintain robust security postures and gain deep insights into your network traffic and application performance. This ensures that your containerized applications are not only secure but also meet your performance and reliability goals, allowing you to confidently manage and scale your infrastructure.

Let’s take a look at the container network security and observability features of this release.

Container Network Observability

While Kubernetes excels at orchestrating and managing these workloads, one critical challenge remains: how do we gain meaningful visibility into how these services interact? Observing the network traffic of microservices, monitoring performance, and understanding dependencies between components are essential for ensuring both reliability and security. Without this level of insight, performance issues, outages, and even potential security risks can go undetected.

To truly understand how well your microservices are functioning, you need more than just basic cluster-level metrics and virtual network logs. Comprehensive network observability requires granular network metrics, including node-level, pod-level, and Domain Name Service (DNS)-level insights. These metrics allow teams to identify bottlenecks, troubleshoot issues, and monitor the health of each service in the cluster.

To address these challenges, Advanced Container Networking Services delivers powerful observability features tailored specifically for Kubernetes and containerized environments. Advanced Container Networking Services provides real-time and detailed insights across node-level, pod-level, and both Transmission Control Protocol (TCP) and DNS-level metrics, ensuring that no aspect of your network goes unnoticed. These metrics are crucial in identifying performance bottlenecks and resolving network issues before they impact the workloads.

Advanced Container Networking Services network observability features include:

  • Node-level metrics: These metrics provide insights into traffic volume, dropped packets, number of connections, etc. by node. The metrics are stored in Prometheus format and can be viewed in Grafana.
  • Hubble metrics, DNS, and pod-level metrics: Advanced Container Networking Services uses Hubble to collect metrics, including Kubernetes context such as source and destination pod name and namespace information, allowing network-related issues to be pinpointed at a more granular level. Metrics cover traffic volume, dropped packets, TCP resets, L4/L7 packet flows, and more. There are also DNS metrics, covering DNS errors and unanswered DNS requests.
  • Hubble flow logs: Flow logs provide visibility into workload communication, aiding in understanding how the microservices communicate with one another. Flow logs also help answer questions such as: did the server receive the client’s request? What is the round-trip latency between the client’s request and the server’s response?
  • Service dependency map: This traffic flow can also be visualized using Hubble UI, which creates a service-connection graph based on flow logs and displays flow logs for the selected namespace.

Container Network Security

One of the key challenges with container security stems from the fact that Kubernetes by default allows all communication between endpoints, introducing significant security risks. Advanced Container Networking Services with Azure CNI powered by Cilium enables advanced fine-grained network policies using Kubernetes identities to only allow permitted traffic and secure endpoints.

While traditional network policies rely on IP-based rules for external traffic control, external services often change their IP addresses. This makes it difficult to enforce and ensure consistent security for workloads communicating beyond the cluster. With Advanced Container Networking Services’ fully qualified domain name (FQDN) filtering and security agent DNS proxy, network policies can be insulated from IP address changes.

In the following section, we’ll dig deeper into how FQDN filtering can change the way you secure Kubernetes networking.

FQDN filtering and security agent DNS proxy

The solution consists of two main components: the Cilium Agent and the security agent DNS proxy. Combined, they seamlessly integrate FQDN filtering into Kubernetes clusters, allowing for more efficient and manageable control over external communications.

Cilium Agent

The Cilium Agent is a critical networking component that runs as a DaemonSet within clusters using Azure CNI powered by Cilium. The agent handles networking, load balancing, and network policies for pods in the cluster. For pods with enforced FQDN policies, the Cilium Agent redirects packets to the DNS Proxy for name resolution and updates the network policy using the FQDN:IP mappings obtained from the DNS Proxy.

Security Agent DNS Proxy

The DNS proxy that is part of the security agent runs as a DaemonSet in an Azure CNI powered by Cilium cluster with Advanced Container Networking Services enabled. It handles DNS resolution for pods and, on successful DNS resolution, updates the Cilium Agent with FQDN-to-IP mappings.

Running the security agent DNS proxy in a separate DaemonSet (acns-security-agent) alongside the Cilium agent ensures that pods continue to receive DNS resolution even if the Cilium Agent is down or undergoing an upgrade. With Kubernetes’ maxSurge upgrade feature, the DNS proxy remains operational during upgrades. This design guarantees that network connectivity for essential customer workloads is not disrupted due to DNS resolution issues.
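As an added illustration (not from the original post), the contrast this section describes: an egress rule pinned to an address, beside the same intent written as a CiliumNetworkPolicy with toFQDNs so that the security agent DNS proxy resolves the name and hands the FQDN:IP mapping to the Cilium Agent. The pod label app: checkout, the placeholder address and api.example.com are assumptions.

```yaml
# Before (constructed): egress pinned to an IP; breaks when the service moves.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: checkout-egress-by-ip
spec:
  podSelector:
    matchLabels:
      app: checkout
  policyTypes: ["Egress"]
  egress:
  - ports:                      # DNS must still be allowed, or nothing resolves
    - port: 53
      protocol: UDP
  - to:
    - ipBlock:
        cidr: 203.0.113.10/32   # placeholder: today's address of api.example.com
    ports:
    - port: 443
      protocol: TCP
---
# After (constructed): same intent via toFQDNs; the DNS rule routes queries through
# the security agent DNS proxy, which supplies FQDN:IP mappings to the Cilium Agent.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: checkout-egress-by-fqdn
spec:
  endpointSelector:
    matchLabels:
      app: checkout
  egress:
  - toEndpoints:
    - matchLabels:
        k8s:io.kubernetes.pod.namespace: kube-system
        k8s:k8s-app: kube-dns
    toPorts:
    - ports:
      - port: "53"
        protocol: UDP
      rules:
        dns:
        - matchPattern: "*"     # proxy every query these pods send
  - toFQDNs:
    - matchName: "api.example.com"
    toPorts:
    - ports:
      - port: "443"
        protocol: TCP
```

The DNS egress rule with `rules: dns` is not optional: without it the proxy never sees the lookup, no mapping is learned, and the toFQDNs rule matches nothing.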

Customer adoption and scenarios

Advanced Container Networking Services was deployed by many internal and external customers even during its preview for the following use cases:

  • Troubleshooting application degradation and DNS resolution timeouts using DNS errors and metrics.
  • Applications and pods intermittently lose connectivity to other pods or external endpoints. Pod metrics show cluster admins dropped packet counts, TCP errors, and retransmissions to help debug connectivity issues faster.
  • Flow logs for debugging network connectivity issues.
  • To enable cluster security and make policies more resilient in case of IP address changes, setting Cilium network policies using FQDNs instead of IP addresses greatly simplifies policy management.

“At H&M Group, platform engineering is a core practice, supported by our cloud-native internal developer platform, which enables autonomous product teams to build and host microservices. Deep network observability and robust security are key to our success, and the Advanced Container Networking Service features help us achieve this. Real-time flow logs accelerate our ability to troubleshoot connectivity issues, while FQDN filtering ensures secure communication with trusted external domains.” Magnus Welson, Engineering manager, container platform, H&M Group

“The advanced observability offered by Advanced Container Networking Services helped us tremendously when we were investigating a high-impact problem in one of Japan Tobacco International’s AKS clusters. With the insights provided by Advanced Container Networking Services we were able to pinpoint the issue to DNS performance and then confirm that the remediation we applied was successful.” — Andrew Wytyczak-Partyka, CEO Codewave, Alexandru Popovici, DevOps & Security Manager, JT International

“At Ferrovial, on our corporate Kubernetes platform (called Kubecore), we use the Advanced Container Networking Service to debug connectivity issues in our applications, using real-time network flow tools, bringing us full details. Additionally, DNS errors and metrics available at the workload level give us deep network visibility to troubleshoot application degradation faster.” Victor Fernandez, Senior Cloud Architect, Ferrovial

Conclusion

As you continue your journey in the cloud-native space, the importance of integrating security and observability into every layer of your infrastructure cannot be overstated. With the right tools in place, you can move faster, innovate more, and do so with confidence that your workloads are both visible and protected.

Learn more about Advanced Container Networking Services in Azure